Author Topic: eBox-XEN-OpenVPN problem  (Read 4631 times)

kumar

eBox-XEN-OpenVPN problem
« on: December 24, 2007, 08:04:04 am »
BIG Thanks to the guys who have done VERY VERY GREAT JOB... 8)

I have been working with the FreeBSD-based pfSense for the past year, and I have been waiting a long time for this type of firewall based on the Linux platform. Now I would like to move to E-Box.

I have installed E-Box on a Xen layer, with E-Box acting as a firewall for my VMs (Windows XP, Ubuntu). I have tested some basic features, and everything is working great without any trouble.

I got stuck with OpenVPN. Everything seems fine and I am able to connect to the OpenVPN server, but I am not able to ping the Windows XP VM (I also disabled the firewall in XP). I added a pass rule in the firewall section, and the log shows the VPN client connection initiated.

What might be the problem?

Appreciate any help...

Once again, thanks for the GREAT JOB..

kumar

Re: eBox-XEN-OpenVPN problem
« Reply #1 on: December 24, 2007, 12:09:09 pm »
I found the problem.. working like an F16

The problem is I forgot to add comp-lzo in my client configuration file..

If anybody needs help with eBox - OpenVPN, please post here; I will try to help you out..

Thanks for the great product..
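
The mismatch described in this reply (comp-lzo set on the server but missing on the client) can be caught before connecting by comparing the directives both ends must agree on. This is an added example, not part of the original post and not eBox or OpenVPN project code; the sample configs are constructed, the function names are hypothetical, and the defaults are those of OpenVPN 2.0.x.

```python
# Added example (not eBox or OpenVPN project code): compare the directives
# that must agree on both ends of an OpenVPN tunnel.
import re

# Directives checked here; OpenVPN 2.0.x defaults apply when one is absent.
MUST_MATCH = ("dev", "proto", "comp-lzo", "cipher", "auth")
DEFAULTS = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1"}

def parse_conf(text):
    """Map each directive in a config body to its argument string."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def normalise(name, value):
    """Reduce a directive's argument to the part both peers must share."""
    if value is None:
        value = DEFAULTS.get(name)
    if value is None:
        return None                          # directive absent, no default
    if name == "proto":                      # tcp-server/tcp-client: one transport
        return re.sub(r"-(server|client)$", "", value)
    if name == "dev":                        # tap0 and tap: same device type
        return re.sub(r"\d+$", "", value)
    if name == "comp-lzo":                   # simplification: compare presence only
        return "enabled"
    return value

def mismatches(server_text, client_text):
    """Return (directive, server_value, client_value) for each disagreement."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    found = []
    for name in MUST_MATCH:
        s, c = normalise(name, server.get(name)), normalise(name, client.get(name))
        if s != c:
            found.append((name, s, c))
    return found

# Constructed sample configs; 192.0.2.10 is a documentation address.
SERVER = "port 1194\nproto tcp-server\ndev tap0\ncomp-lzo\ncipher BF-CBC\n"
CLIENT = "client\nremote 192.0.2.10 1194\nproto tcp-client\ndev tap\n"

if __name__ == "__main__":
    for name, s, c in mismatches(SERVER, CLIENT):
        print("%s: server=%r client=%r" % (name, s, c))
```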

mujie

Re: eBox-XEN-OpenVPN problem
« Reply #2 on: February 10, 2008, 08:34:37 pm »
Yes Kumar, I need help here. I successfully installed the eBox platform, and I have 1 eBox server and 2 Windows XP machines on different networks. The problem is, I created 2 users with eBox, but the XP clients still can't log in to it over VPN. Any suggestions, tips, or a step-by-step how-to will be appreciated. Thanks for your help.

Javier Amor Garcia

Re: eBox-XEN-OpenVPN problem
« Reply #3 on: February 11, 2008, 09:04:25 am »
Hello,
I don't know whether your case is that you cannot connect to the VPN, or that you can connect but cannot log in to your shares or domain.

If it is the first case, I suggest you take a look at this page:
http://www.ebox-platform.com/usersguide/en/html-chunk/ch17s02.html

mujie

Re: eBox-XEN-OpenVPN problem
« Reply #4 on: February 11, 2008, 03:59:28 pm »
Thanks for your quick reply Javier, I almost forgot something. eBox uses OpenVPN, not a simple PPTP (PopTop), for its VPN server, so I need an OpenVPN client for Windows XP, which I can find at http://www.openvpn.se/.

Another question: can I access the shared folder only after logging in to the VPN first, and if I don't, I can't access the folder?

Updated :
Still no luck from Windows XP with the OpenVPN client software  :(

Quote
Tue Feb 12 01:42:37 2008 Cannot load private key file myfileserver.pem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Tue Feb 12 01:42:37 2008 Error: private key password verification failed
Tue Feb 12 01:42:37 2008 Exiting

Updated :
I was able to connect to OpenVPN; finally I found the problem, which was that my Windows XP date was NOT THE SAME as the server's.

Quote
Wed Feb 13 09:28:08 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Feb 13 09:28:08 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Feb 13 09:28:08 2008 LZO compression initialized
Wed Feb 13 09:28:08 2008 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Feb 13 09:28:08 2008 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Feb 13 09:28:08 2008 Local Options hash (VER=V4): '31fdf004'
Wed Feb 13 09:28:08 2008 Expected Remote Options hash (VER=V4): '3e6d1056'
Wed Feb 13 09:28:08 2008 Attempting to establish TCP connection with 100.100.1.15:1194
Wed Feb 13 09:28:08 2008 TCP connection established with 100.100.1.1:1194
Wed Feb 13 09:28:08 2008 TCPv4_CLIENT link local: [undef]
Wed Feb 13 09:28:08 2008 TCPv4_CLIENT link remote: 100.100.1.1:1194
Wed Feb 13 09:28:08 2008 TLS: Initial packet from 100.100.1.1:1194, sid=c3e0b34a 32b69f98
Wed Feb 13 09:28:08 2008 VERIFY OK: depth=1, /C=ES/ST=Nation/L=Nowhere/O=Server/CN=Certification_Authority_Certificate
Wed Feb 13 09:28:08 2008 VERIFY X509NAME OK: /C=ES/ST=Nation/L=Nowhere/O=Server/CN=Client
Wed Feb 13 09:28:08 2008 VERIFY OK: depth=0, /C=ES/ST=Nation/L=Nowhere/O=Server/CN=Client
Wed Feb 13 09:28:09 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 13 09:28:09 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 13 09:28:09 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Feb 13 09:28:09 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 13 09:28:09 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Feb 13 09:28:09 2008 [Client] Peer Connection Initiated with 100.100.1.1:1194
Wed Feb 13 09:28:10 2008 SENT CONTROL [Client]: 'PUSH_REQUEST' (status=1)
Wed Feb 13 09:28:10 2008 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.168.0.1,ping 10,ping-restart 120,ifconfig 172.168.0.2 255.255.255.0'
Wed Feb 13 09:28:10 2008 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 13 09:28:10 2008 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 13 09:28:10 2008 OPTIONS IMPORT: route options modified
Wed Feb 13 09:28:10 2008 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{6091B0CB-A2B0-40C2-A3EA-489F0D002888}.tap
Wed Feb 13 09:28:10 2008 TAP-Win32 Driver Version 8.4
Wed Feb 13 09:28:10 2008 TAP-Win32 MTU=1500
Wed Feb 13 09:28:10 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.168.0.2/255.255.255.0 on interface {6091B0CB-A2B0-40C2-A3EA-489F0D002888} [DHCP-serv: 172.168.0.0, lease-time: 31536000]
Wed Feb 13 09:28:10 2008 Successful ARP Flush on interface [3] {6091B0CB-A2B0-40C2-A3EA-489F0D002888}
Wed Feb 13 09:28:10 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Wed Feb 13 09:28:10 2008 Route: Waiting for TUN/TAP interface to come up...
Wed Feb 13 09:28:11 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Wed Feb 13 09:28:11 2008 Route: Waiting for TUN/TAP interface to come up...
Wed Feb 13 09:28:12 2008 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Wed Feb 13 09:28:12 2008 Initialization Sequence Completed
Wed Feb 13 09:28:25 2008 TCP/UDP: Closing socket
Wed Feb 13 09:28:25 2008 Closing TUN/TAP interface
Wed Feb 13 09:28:25 2008 SIGTERM[hard,] received, process exiting

The scenario is :

Ebox server ip at eth0   = 100.100.1.1/30
                  eth0:0 = 192.168.1.1/30
                  eth0:1 = 192.168.2.1/30
                  eth1   = 192.168.0.1/30
                  eth1:0 = 172.168.2.1/24

Client 1 = 192.168.1.2/30
Client 2 = 192.168.2.2/30

Client 1 and client 2 can successfully ping the Ebox server through eth0 of the Ebox server (LAN/WAN), and both successfully connected to the Ebox VPN with the OpenVPN client and got DHCP IPs 172.168.2.2 and 172.168.2.10.

Another problem is that my Windows DHCP client does not get the gateway IP 172.168.2.1 or a DNS IP. So, after connecting, I CAN'T ping the Ebox server and CAN'T resolve the local domain.

What should I do? Thanks for the help.
« Last Edit: February 12, 2008, 03:52:40 am by mujie »

mujie

Re: eBox-XEN-OpenVPN problem
« Reply #5 on: February 13, 2008, 01:17:00 pm »
Hmm.. from Google I found that it's an OpenVPN problem, not a DHCP server problem. I don't know about the Ebox firewall, because I didn't change any firewall configuration. Until now, I still can't solve the problem.

Updated :
After trial and error, I can successfully ping the VPN gateway IP. The problem was the eth1:0 = 172.168.2.1/24 virtual interface. I deleted this configuration and then I could ping it.
« Last Edit: February 14, 2008, 07:33:52 am by mujie »
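
The conflict resolved in this last post, a virtual interface sitting in the same subnet as the VPN clients, can be checked for before a tunnel is brought up. This is an added example, not part of the thread and not eBox code; the interface list is copied from the scenario posted above, the VPN network 172.168.2.0/24 is an assumption inferred from the leases quoted there (172.168.2.2, 172.168.2.10), and `audit` is a hypothetical helper name.

```python
# Added example (not eBox code): look for local interfaces whose subnet
# collides with the network handed out to VPN clients.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Interface addresses as listed in the scenario posted in the thread.
INTERFACES = {
    "eth0": "100.100.1.1/30",
    "eth0:0": "192.168.1.1/30",
    "eth0:1": "192.168.2.1/30",
    "eth1": "192.168.0.1/30",
    "eth1:0": "172.168.2.1/24",
}
# Assumption: VPN network inferred from the client leases quoted in the thread.
VPN_NETWORK = "172.168.2.0/24"

def audit(interfaces, vpn_network):
    """Return (subject, finding) tuples for one VPN network."""
    vpn = ipaddress.ip_network(vpn_network)
    findings = []
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        # Two connected routes for one subnet make return traffic ambiguous.
        if iface.network.overlaps(vpn):
            findings.append((name, "overlaps VPN network %s" % vpn))
    # Addresses outside RFC 1918 may belong to someone else on the Internet.
    if not any(vpn.subnet_of(block) for block in RFC1918):
        findings.append((str(vpn), "not inside an RFC 1918 private range"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(INTERFACES, VPN_NETWORK):
        print("%s: %s" % (subject, finding))
```

Run against the posted scenario it reports eth1:0 as the only overlapping interface, and also notes that 172.168.2.0/24 lies outside the private 172.16.0.0/12 block.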